Blog Archives

The latest version of our flagship software, Oxygen Forensic® Detective is now live and available for download by customers with current licenses.

In addition to added support for dozens of application updates, version 10.4 offers several major new features to enable investigators to extract and examine more data than ever before.

Decrypt WhatsApp Backups

In some cases, you may have a WhatsApp backup file extracted from an SD card or the internal memory of an Android device, but you do not have a key file to decrypt it. Oxygen Forensics now offers a new method to decrypt WhatsApp backups in such cases. All you need to do is import a WhatsApp backup into Oxygen Forensic® Cloud Extractor by clicking “Decrypt WhatsApp backup files” on the startup window. You will be offered two options for backup decryption – using the phone number associated with the backup or a WhatsApp Cloud token extracted from the Android device. Once data is decrypted you can open it in Oxygen Forensic® Detective for detailed analysis and reporting.

Import GrayKey iPhone Images

Oxygen Forensic® Detective 10.4 supports import and parsing of GrayKey images made from Apple iOS including devices ranging from iPhone 5S to iPhone 8 as well as iPhone X, running iOS versions up to 11.4.1. To import a GrayKey image select Import Apple backup/Import GrayKey image from the Import menu on the toolbar. Oxygen Forensic® Detective parses and recovers all available data including contacts, messages, calls, calendars, pictures and files, application data, passwords, geo coordinates, and much more.

Acquire Locked Samsung Devices

Oxygen Forensic® Detective 10.4 enables partial acquisition of locked Samsung devices via MTP. The method is compatible with devices running Android 4.4.x, 5.x, 6.x, 7.x. with the security update no later than October 27, 2017. All you need to do is connect a device via cable in Oxygen Forensic® Extractor and select Search for MTP devices in Automatic connection settings. The software will bypass screen lock and extract pictures and databases that are available via MTP.

Detect Similar Photos with PhotoDNA

We’ve added the ability to identify pictures with similar images using PhotoDNA hash sets. Select Search similar images in the Search menu. The software will automatically find similar images and group them together. This method allows to identify similar images that were, for example, modified or edited and allows forensic experts to find sensitive content within a short period of time.

Extract Wi-Fi Hotspot Connections

We’ve extended the functionality of Oxygen Forensic® KeyScout to support discovery of previously accessed Wi-Fi hotspots and their passwords on the subject’s computer. To collect Wi-Fi hotspots, run KeyScout on a computer. Once they are acquired you will see a Wi-Fi Access Points tab in KeyScout. You can save collected Wi-Fi data to an OCPK file for use in Oxygen Forensic® Cloud Extractor OCPK Viewer.

Examine Bluetooth Connection History

Oxygen Forensic® Detective 10.4 offers extraction of Bluetooth connections from iOS devices. Now you can acquire the information about both paired and nearby devices: MAC address, device name, and last detected time.

Authenticate via Google Prompt

We’ve added the ability to sign in to Google services with 2FA enabled by using Google Prompt. Four authentication types are now available for Google services: SMS, authenticator code, backup code, and Google Prompt.

Extract Qualcomm Devices with Improved EDL

EDL method for Qualcomm devices has been improved in the latest version. Manual selection of EDL bootloader is now available along with automatic bootloader upload. EDL method allows extraction of data from 450+ Qualcomm-based Android devices.

Mobile forensic software is often heralded as the end all, do all, completer of all cases. However, the probability that an examiner will be faced with the dissection of an unsupported app is quite great. Lets take it a step further and point out, at least in a most basic way, how an examiner can uncover valuable data without relying on the automated solution in this often inevitable situation.

In this document we will examine a SQLite database from built in browsers of both Android and iOS file systems. Understanding the examiner has to go the extra mile if they are to find the 0’s and 1’s in the digital haystack the results are significant to the overall case. These examples can be used with any SQLite database that an examiner might run into during the investigation so long as they are not encrypted.

The first step in any investigation should be to run a series of search queries to identify relevant material for the case. This is a necessity. Simply thumbing through the volume of data now found on a mobile device is not practical. I find it extremely beneficial to use Oxygen Forensic® Detective to search within the file content. Searching within files is a necessity to uncover strings within database files that are not fully supported, not supported at all, or simply not decoded.

Figure 1: Search in file content

Figure 2: Database within an app using webkit.

Once you have your search hits, and are focused on the files of interest, the deep dive of these files can start. In my example in Figure 1 I used a regular expression ((\W|^)[\w.+\-]{0,25}@(yahoo|hotmail|gmail)\.com(\W|$)) to search for free (i.e. gmail, yahoo, hotmail) email addresses in an effort to uncover any additional addresses of interest. This search uncovered an email address within a database file within the Android built in browser. The interesting fact this database; it is not the stock database for the android browser, but rather a database created by the application for storage of mobile enabled websites. A website within a browser that stores data? Much like a nesting doll that continues to contain a replica of the doll that housed the smaller doll.

Browsers are ripe with databases similar to this example when the WebKit platform is utilized. The fact that these types of databases are processed by only a few tools, Oxygen Forensic Detective is one of them. So, if a user used the browser to surf their Facebook account, the examiner will surely miss this data if they are simply looking at the Facebook app that was parsed by the mobile solution. In this example, this artifact, housed in this particular Android browser, is one that very few even realize or even understand is available. Again, the critical take-a-way is to comprehend the idea that modern mobile browsers from iOS to Android are packed with these user created manifestations, but few solutions have the ability to even recognize this valuable artifact, let-alone automatically parse the information. However, do not just concentrate on browsers, but also with the built in browsers in messaging, or other apps.

Let us take a look at an example. In Figure 3 is a database file from the Dolphin browser from an Android device. This file is viewed in Oxygen Forensics® SQLite Viewer. This file hosts content (yes content) of gmail messages. Not just the snippet HTML but the actual message in it’s entirety. Granted, the data in the database is only going to be the most recently cached emails when the user visited their email account, but it is possible it contains information critical to your case and no modern tool at this date will parse and decode this information automatically. This is not the gmail app, but the user accessed their gmail page from a browser. Since there are multiple tables that make up a database file, Oxygen Forensic® SQLite Viewer can build and execute SQL Queries across a single file and even multiple database files. You can use the built-in query builder to drag and drop tables and match keys without knowledge of a single SQL command. The Visual Query builder will create the command while you are building the data to be extracted.

Figure 3 : Single table of Webkit database found in Dolphin Browser for Android.

If you have a strong sense of SQL and have custom commands you can use directly in the SQL Query Editor as shown in Figure 4. So, you do not have to rely on the Visual Query builder to create the SQL command just write away to create powerful commands against the database. What is even more impressive is the power to run the query against the free-page area of the main database and WAL files. This means to you….DELETED DATA. So, using the powerful tool built into Oxygen Forensic Detective will be of great assistance.

These treasure troves are created on the fly, per the user’s activity. Now, throw in the multitude of internet browsers, messaging apps, or any with built in browsers it becomes an impossibility that the mobile forensic solution of choice will be able to parse and decode this data in all situations. Again, it comes down to the expert behind the keyboard and their commitment to performing a complete examination.

Oxygen Forensics, Inc. is committed to supporting the forensic community and offers world leading solutions to uncover, recover, and analyze data from mobile devices, cloud services, and IoT devices.

From the days in law enforcement, my work in the private sector, and now within the corporate machine analytics are often a means to the end. In the infancy stage of my mobile forensic career it was all about taking the data, albeit only 2.9 MB of storage, and putting a report together of the 25 contacts, images, videos, and text messages. If multiple devices were at the scene the laborious task of digging through the data to find common contacts, text messages, images, dates and times, and more. Often, in the first courses I taught we used FTK to take in multiple devices and again do some magic in piecing together the event. Quite honestly that was the only way to do some sort of collective analysis. I remember speaking at a Microsoft event in 2009 on the importance of painting a collective digital picture; it really did not make the splash at that time unfortunately. Mobile devices to the forensic community were regarded as a small digital device with limited storage and even less significance to a case. I can tell you today this is certainly not the case; a mobile device’s contents is often pivotal to each and every investigation. And one thing is for sure, these devices and their peripheral storage points hold more investigative material than ever.

Storage capacity and multiple points or end points of storage

This simple concept is something that investigators will continue to deal with for years to come. Knowing the shear limits of investigative time, investigators with today’s data coming from multiple sources must work smarter and use analytics from aggregated sources. Take for example a single case that has multiple devices. The devices belong to different owners and each owner states they do not know one another, but from the initial investigation you believe this is not the case. By using Oxygen Forensic Detective, with built-in analytics, the examiner is able to quickly determine common location data amount multiple devices (Figure 1).

Figure 1. Common locations showing a drone as well as user, tying devices together at the location.

Not only is location information critical to any type of investigation where there are multiple devices, but what about contacts? Pouring over massive amount of contacts over multiple devices to determine common contacts, or outliers can be extremely time consuming. If not for the powerful data aggregation tools built into Oxygen Forensics, Inc. products an investigators time will often be spent pouring over numbers/names/addresses/usernames to determine who is who, and often who knows who. Using the social graph and aggregated contacts can take the identification of common contacts and outliers down to minutes, sometimes seconds (Figure 2).

Figure 2: Quickly show only common contacts between multiple devices.

With the increasingly frustrating backlogs of investigations, the addition of work to the already backbreaking work is not the answer. With the addition of cloud artifacts, and IoT devices an investigators job in digging through the proverbial haystack will compound. However, by having built in analytical tools in a single product will allow today’s investigators to work smarter. Adding powerful search functions, the aggregation of all types of artifacts, multiple simultaneous extractions, and industry leading app parsing/decoding support, Oxygen Forensic Detective should be a part of your toolbag.